On 05/01/17 09:22, Laurentiu Pancescu wrote: > Hi there, > > I stumbled upon an older post by Johnny Hughes about gpg-checking the > repository metadata. [1] In the mean time, we seem to have signed > metadata not only for "updates", but also for "base", "extras" and > "centosplus" (just the "base" signature for CentOS Linux 6 is missing). > > What are the reasons for not enabling the repo gpg check in our default > installation? Would it be a bad idea to do that in our Vagrant images? if all the metadata is now signed, the corresponding centos-release can carry the gpgcheck enabled. as a distro flag - this is a huge change. We just need to make sure ( quantify ? ) that we dont break existing installs. In most cases, this is just a case of orchestrating it right ( ie, maybe centos-release with the enabled flag needs to the staged out, in a way that only people with all the repos signed are going to see this new file, and do it as a second cycle ). Regards -- Karanbir Singh +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh GnuPG Key : http://www.karan.org/publickey.asc